Should I tell my boss I have discovered their passwords and they are too weak?

While there is no doubt that weak passwords are an issue for your company, I would strongly advise against telling your boss about the things that you have done.

Your company decided against giving temporary workers access to sites and resources for a reason. Not only did you gain unauthorized access to the wireless LAN by guessing the password to the router, you also extended that access by probing the credentials against other resources, resources that you were not supposed to have the password to. You then basically shoulder-surfed your boss.

While there seem to be flaws in your employer's policy concerning access to company resources, and in their password policies, all of these things could be considered 'hacking' by your employer and were definitely outside of your authorization.

If I were you, I would log off the WLAN and ask your employer for the password if you want to have access to it. Apart from that, you should stop trying to use other people's passwords on any access points just 'to see if the same pattern was used'. Depending on the legal systems of the countries involved, you can very well face legal problems for these kinds of acts.

So what should you do with the information you have?
If your employer gives you a password to a service or a resource, you could point out that, e.g., that password would be easily guessable by other people. I would not mention the other password here directly, though.
If your boss seems interested, you could volunteer to research password best practices for the company. If they are serious about it, this would eliminate your concerns.
If there is an IT person in the company, you could bring these concerns to him, as he will probably understand the need for a secure password policy better.


Unless you have received an explicit or implicit (*) mandate for doing so, trying to guess passwords to access resources that were not granted to you is a hostile action, even if the passwords are trivial or written in a place that you should not have read. If you find a leaflet with "Confidential - reserved for allowed people" on the cover page and you read it nonetheless, that is also a hostile action.

The most you can do, in the case of the leaflet, is say "I've seen a confidential document there that someone could read without anybody else noticing it. Does it really contain sensitive information, and if so, shouldn't it be stored in a more secure place?" -> meaning: I have seen a possible security problem and I warned you, but I have respected the confidential mark.

Or if you have discovered the password of a co-worker (and if the following story is possible): "Hey, I had to log on to a computer, I was thinking about something else, and I entered a password I use at home. Then I realized that I was logged on to your account. I immediately logged out, but you really should change that password for a professional account."


(*) Mandate can be implicit if you are in charge of evaluating the overall security. But in that case you should ask whether you can continue as soon as you have discovered a trivial password.


I'm saying much the same thing as others, but this really could be a legal concern for you (I'm not a lawyer). In the UK (*), one relevant act is the Computer Misuse Act 1990, which says right at the start:

1 Unauthorised access to computer material.

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure [F2, or to enable to be secured,] is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

i.e. if you so much as try to access anything that you know you shouldn't.

Subsection 2 says it doesn't matter what computer, what data, or what kind of data: nothing makes it OK.

Subsection 3 says:

(3) A person guilty of an offence under this section shall be liable—

(a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

And then section 2 of the act says "Unauthorised access with intent to commit or facilitate commission of further offences" - you committed an act of unauthorized access (gaining router access) so that you could commit another act of unauthorized access (wifi access).

In one of your comments, you say

no harm meant to be done

But Section 3 of the act is "Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc." - even if you don't intend harm, if you act recklessly, that's enough. Joining an unsecured, unknown, unauthorized, personal device (phone) to the company network 'could' put them at risk of all kinds of cryptolocker-style blah blah.

I strongly doubt that this will apply in force to someone in a small business accessing a router, but if they want to argue it, you've taken a temporary job, broken into their network, their email, their domain / website hosting, carelessly put their network and therefore their company operation at risk, and who knows what theft, blackmail, extortion or damage you were planning to commit.

And what's worse, they don't understand IT, they aren't interested in how much fun it is or how curious it is, or how serious or trivial your actions were; if they get the wrong end of the stick, it won't look good for you.

Should I tell my boss their passwords are too bad?

Yes, you should. But don't unless you have reason to think they will take it well. And they should care. But they don't. And it's not your company and not your problem. If they show interest, suggest why (in principle) stored browser passwords are risky, or shared accounts are risky, or simple passwords are risky.

If there is no backup, encourage them to have backups. "Hi, I was reading this news item about GitLab almost losing 300 GB of data and it made me think we don't have good backups here - we could set one up for $xyz, what do you reckon?"

(*) Other jurisdictions are available.